YaHTTP: Prevent integer overflow on very large chunks 13078/head
authorRemi Gacogne <remi.gacogne@powerdns.com>
Wed, 8 Mar 2023 17:25:30 +0000 (18:25 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 26 Jul 2023 08:00:32 +0000 (10:00 +0200)
If the chunk_size is very close to the maximum value of an integer,
we trigger an integer overflow when checking if we have a trailing
newline after the payload.
Reported by OSS-Fuzz as:
https://oss-fuzz.com/testcase-detail/6439610474692608
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56804

(cherry picked from commit b602982fc5b4fb9139dec591541e0c070ceb47f5)

ext/yahttp/yahttp/reqresp.cpp

index dc49cb64f60125004a15fabc6d30bcf850af37c0..e5f9c95eccd93bfbf9db5acacfdbf2b8240c949a 100644 (file)
@@ -1,5 +1,7 @@
 #include "yahttp.hpp"
 
+#include <limits>
+
 namespace YaHTTP {
 
   template class AsyncLoader<Request>;
@@ -177,6 +179,9 @@ namespace YaHTTP {
             throw ParseError("Unable to parse chunk size");
           }
           if (chunk_size == 0) { state = 3; break; } // last chunk
+          if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2)) {
+            throw ParseError("Chunk is too large");
+          }
         } else {
           int crlf=1;
           if (buffer.size() < static_cast<size_t>(chunk_size+1)) return false; // expect newline
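Review bot: The added guard `chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2)` bounds only the top of the range. If `chunk_size` is a signed type, as the `static_cast<size_t>(chunk_size+1)` in the else branch suggests, a negative parsed value still passes and can wrap to a very large `size_t` in that cast. Rejecting it in the same check would cover both ends: `if (chunk_size < 0 || chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2)) {`. Separately, a size just under the limit is still accepted, and the parser then returns false until that many bytes are buffered, so unless buffer growth is capped elsewhere (not visible here) a much lower protocol-level maximum would be the safer bound. The declaration and parsing of `chunk_size` and the rest of the enclosing function lie outside this hunk, so the type should be confirmed there.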